A model for social engineering awareness program for schools

Over the years of technological growth, advancements in security have mainly focused on providing secure technological infrastructure. The security measures and countermeasures developed have played a major role in reducing the surge of cyber-attacks. However, hackers have continued to exploit vulnerabilities arising from the human element to gain access to otherwise secured systems. The risks and potential for exploitation are greater in schools, where human vulnerability is heightened by young, impressionable pupils. Social engineering, the art of manipulating people so they give up confidential information, is increasingly the approach of choice for hackers who exploit the human element. Social engineers bypass secured systems in schools by directly targeting and exploiting the human vulnerabilities of school students and staff. Education through awareness campaigns is typically used to counter the threat from social engineering. However, such awareness campaigns tend to be too holistic in focus to lead to the significant and sustainable change in behaviour required to counter social engineering. This paper presents a model for designing and implementing social engineering awareness programmes aimed at fostering behaviour change in schools. It demonstrates the process of designing a social engineering awareness programme to meet all types of learning styles by using multiple communication methods. Evaluation and continuous reinforcement approaches are also presented. A pilot implementation of our proposed model for a social engineering awareness programme shows a significant change in the behaviour of school teaching staff.
